Although blockchain and crypto have matured in both development and user numbers, newcomers unfamiliar with industry jargon and with the basic practices for protecting their assets remain exposed to security threats.
The 24/7, always-online nature of these systems also makes it easier for hackers and bad actors to target users and their digital assets. Cryptocurrencies and tokens are often both the target of these scams and the vehicle used to carry them out.
With the adoption and usage of blockchain-related applications such as real-world asset (RWA) tokenization platforms, decentralized finance (DeFi) applications, and other dApps on the rise, it’s more important than ever for users to implement best practices to avoid security threats to their crypto and digital tokens.
In this blog, we’ll go over some of the most common attacks hackers typically use to steal crypto user funds and assets.
Key Takeaways
- Crypto has expanded in popularity and interest, making it necessary to know the best practices for staying secure when transacting with cryptocurrencies and tokens.
- Fake Applications and Phishing: Scammers can create fake platforms mimicking legitimate ones to trick users into connecting wallets and signing transactions that steal funds.
- Exchange Security: Leaving crypto on centralized exchanges makes it vulnerable to hacking. Using self-custodial hardware wallets is recommended.
- Counterfeit Tokens: Attackers can mint tokens with the same name and ticker as legitimate ones. Always verify the token's on-chain identifier (contract address or policy ID) and trace it back to the original project.
- Private Key Theft: Never share private keys or seed phrases. Be wary of unsolicited messages asking for this information.
- Discord Scams: Fake giveaways, phishing links, and impersonation are common in Discord. Use a separate Discord account for crypto and verify all claims.
- Wallet Drainers: Unsolicited NFTs with links embedded in their metadata lead to sites that ask for a wallet-draining signature. Do not click on links in token metadata, review every transaction before signing, and ignore or hide unwanted tokens.
- Fake Upgrades: Be cautious of unsolicited upgrade messages. Legitimate wallets update through their official app or extension store, usually automatically. Use a separate email for crypto communities.

1. Promoting Fake Applications, Platforms, and Phishing Sites
Scammers and hackers can create fake blockchain/crypto (Web3) platforms that mimic popular and widely used applications, platforms, or sites.
They often copy the landing page in detail, including font and design patterns to present a facade of legitimacy and make them nearly indistinguishable from the actual application, platform, or website.
Upon visiting the fake platform, users are tricked into connecting their self-custodial crypto wallet, which can lead to the theft of the tokens and other crypto assets held in it. In most cases, the fake platform asks the user to sign a transaction that appears completely authentic.
The difference is that the signature authorizes a transaction that moves funds from the user's wallet to the attacker, or grants the attacker the right to move them later. Once the transaction is confirmed on-chain, there is no way to reverse it.
Ways to stay safe
- Always cross-check the full URL of the project or platform against other known sources, and bookmark the verified address. Attackers typically register lookalike domains with a small spelling change, a swapped character, or a different top-level domain. A valid HTTPS certificate only proves that the connection is encrypted, not that the site is legitimate; phishing sites routinely have valid certificates, so the padlock icon is not a sign of trust.
- Never open a wallet or dApp from a link provided on social media, email, text message, or any other unsolicited channel. Navigate to the platform from your own bookmark or from its official channels, and be aware that sponsored search results are also used to place phishing sites above the real one.
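The URL check above can be made mechanical. The script below is an added example written for this post (it is not EMURGO or Yoroi code): it compares a URL's hostname against a constructed allowlist of bookmarked domains (emurgo.io from this post plus a placeholder, example-dapp.io) and flags the tricks described above: typosquats one edit away, digit and letter-pair substitutions such as 0 for o or rn for m, the brand name used as a subdomain of an unrelated domain, the right name on a different top-level domain, non-ASCII or punycode hostnames, and plain HTTP. A valid certificate is deliberately not treated as evidence of legitimacy.

```python
"""Flag look-alike URLs before connecting a wallet.

Added example for this post, not EMURGO or Yoroi code. KNOWN_DOMAINS is a
constructed allowlist of domains the user has verified and bookmarked
(emurgo.io is from the post, example-dapp.io is a placeholder); the URLs in
SAMPLES are constructed for illustration.
"""
from __future__ import annotations

from urllib.parse import urlsplit

KNOWN_DOMAINS = {"emurgo.io", "example-dapp.io"}

# Digits that pass for letters at a glance; letter pairs are handled in normalize().
_DIGIT_LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})


def normalize(label: str) -> str:
    """Fold common visual substitutions so 'emurg0' and 'ernurgo' compare equal to 'emurgo'."""
    return label.lower().translate(_DIGIT_LOOKALIKES).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one edit away is the classic typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels: enough for .io/.com style TLDs (a real tool would use the Public Suffix List)."""
    return ".".join(host.split(".")[-2:])


def check_url(url: str) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'ok', 'suspicious' or 'unknown'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return "unknown", "no hostname in URL"
    if parts.scheme != "https":
        return "suspicious", "not served over HTTPS"
    # Non-ASCII or punycode labels can hide homoglyphs such as Cyrillic 'е' for Latin 'e'.
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        return "suspicious", "internationalised hostname (possible homoglyph)"
    reg = registrable_domain(host)
    if reg in KNOWN_DOMAINS:
        return "ok", f"registrable domain {reg} is on the allowlist"
    squashed = host.replace(".", "").replace("-", "")
    sld, _, _tld = reg.rpartition(".")
    for known in KNOWN_DOMAINS:
        # Brand used as a subdomain or prefix of someone else's domain: emurgo.io.evil.com
        if known.replace(".", "") in squashed:
            return "suspicious", f"{known} appears inside unrelated domain {reg}"
        # Same or one-substitution-away name, possibly on a different TLD: emurg0.io, emurgo.com
        known_sld, _, _ = known.rpartition(".")
        if edit_distance(normalize(sld), normalize(known_sld)) <= 1:
            return "suspicious", f"{reg} looks like {known}"
    return "unknown", f"{reg} is not on the allowlist; verify it through official channels first"


# Constructed sample URLs covering each case.
SAMPLES = [
    "https://app.emurgo.io/tokenize",
    "https://emurg0.io/",                                  # digit 0 for o
    "https://ernurgo.io/",                                 # rn for m
    "https://emurgo.com/",                                 # right name, wrong TLD
    "https://emurgo.io.wallet-connect-verify.com/claim",   # brand as subdomain
    "http://emurgo.io/",                                   # plain HTTP
    "https://\u0435murgo.io/",                             # Cyrillic е (U+0435) in place of e
    "https://unrelated-site.org/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict, reason = check_url(sample)
        print(f"{verdict:<10} {sample:<55} {reason}")
```

Treat "unknown" as a prompt to verify the site through official channels, not as a pass. The two-label `registrable_domain` is a simplification; a production tool would use the Public Suffix List so that domains such as co.uk are split correctly.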
2. Targeting Centralized Exchanges
Centralized crypto exchanges offer conveniences to those interested in crypto by letting them buy and trade the cryptocurrencies needed to interact with different dApps.
They are a simple way to on-ramp fiat money into crypto assets and often list many different cryptocurrencies on one platform. This ease of use, together with a simplified UX and relatively low transaction fees, is what makes centralized exchanges appealing to crypto newcomers.
Related reading:
- How powerful is Yoroi’s self-custodial feature for crypto users?
- More tips to protect against common crypto attacks
- Explaining the basic key sectors of crypto
However, these conveniences may also lead users to leave their purchased crypto assets in their exchange wallet. Exchange wallets are custodial: the exchange manages the private keys on the user's behalf, typically in "hot wallets" that are connected to the internet and therefore more exposed to hacking attempts and other security breaches. As such, exchanges are a frequent target of hacking campaigns, and a single compromise can affect thousands of users at once.
Ways to stay safe
- Don't leave crypto assets sitting in a centralized exchange wallet; withdraw them to a wallet you control once a trade is complete.
- Consider using a reputable, self-custodial hardware wallet (cold wallet) to safeguard your digital assets and self-manage your private key.
3. Creating Counterfeit Tokens
In the general public's perception, token names and tickers are unique and cannot be used more than once. This is not true: a token's name and ticker are just metadata that anyone can reuse. What identifies a token is its on-chain identifier, such as the address of the smart contract or the minting policy ID that issued it.
This means attackers can mint tokens using a popular project's name and ticker without the knowledge of the original developers.
The same applies to NFTs: the image can be copied by anyone and resold to the public, because what makes an NFT unique is its on-chain identifier (collection or policy ID plus asset name), not the image associated with that identifier. That is what makes the scam easy to pull off.
Ways to prevent this attack
- Always check the on-chain identifier (contract address or policy ID) of a token or NFT collection against the project's official documentation or a curated token registry, not just its name or ticker.
- Track the crypto asset back to its original project before making any purchase.
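The identifier check can be applied to a whole wallet at once. The script below is an added example for this post, not EMURGO or Yoroi code: the registry and the wallet contents are constructed, and the "policy IDs" are blake2b-224 hashes of placeholder labels (the same size Cardano uses for policy IDs), not real on-chain identifiers. Identity is decided only by the (policy ID, asset name) pair; a matching ticker or name with a different identifier is reported as a counterfeit, and the ticker comparison strips zero-width characters and case so that "ACME" followed by an invisible character is still recognised as a collision.

```python
"""Identify tokens by on-chain identifier, never by name or ticker.

Added example for this post, not EMURGO or Yoroi code. REGISTRY and the
wallet contents are constructed; the identifiers are blake2b-224 hashes of
placeholder labels, not real policy IDs.
"""
from __future__ import annotations

import hashlib
import unicodedata
from dataclasses import dataclass


def placeholder_policy_id(label: str) -> str:
    """56 hex chars derived from a label, so the sample data is obviously synthetic."""
    return hashlib.blake2b(label.encode(), digest_size=28).hexdigest()


# Constructed registry of verified tokens keyed by (policy ID, asset name).
# A real check consults the project's official docs or a curated token registry.
REGISTRY = {
    (placeholder_policy_id("acme-official-policy"), "ACME"):
        {"ticker": "ACME", "project": "Acme Finance (placeholder)"},
    (placeholder_policy_id("pixelcats-official-policy"), "PixelCat001"):
        {"ticker": "PIXELCAT", "project": "PixelCats NFT (placeholder)"},
}

# Zero-width code points that make 'ACME<invisible>' render exactly like 'ACME'.
_ZERO_WIDTH = dict.fromkeys(map(ord, "\u200b\u200c\u200d\u2060\ufeff"), None)


def normalize_ticker(text: str) -> str:
    """Undo the usual rendering tricks before comparing names."""
    return unicodedata.normalize("NFKC", text).translate(_ZERO_WIDTH).strip().casefold()


@dataclass(frozen=True)
class Asset:
    policy_id: str
    asset_name: str
    ticker: str        # display ticker as shown by the wallet; minter-controlled metadata
    quantity: int


def classify(asset: Asset) -> str:
    """'verified'   : identifier is in the registry (the only check that proves identity)
    'counterfeit': ticker or asset name collides with a registered token, identifier does not
    'unknown'    : nothing to compare against; look it up before trusting it"""
    if (asset.policy_id, asset.asset_name) in REGISTRY:
        return "verified"
    shown = {normalize_ticker(asset.ticker), normalize_ticker(asset.asset_name)}
    for (_pid, name), meta in REGISTRY.items():
        if shown & {normalize_ticker(meta["ticker"]), normalize_ticker(name)}:
            return "counterfeit"
    return "unknown"


def audit_wallet(assets: list[Asset]) -> dict[str, str]:
    """Map each asset (ticker plus the start of its identifier) to its verdict."""
    return {f"{a.ticker!r}@{a.policy_id[:8]}": classify(a) for a in assets}


# Constructed wallet contents: the genuine token, two fakes and an unrelated token.
WALLET = [
    Asset(placeholder_policy_id("acme-official-policy"), "ACME", "ACME", 1_000),
    Asset(placeholder_policy_id("scammer-policy"), "ACME", "ACME", 1_000_000),
    Asset(placeholder_policy_id("scammer-policy-2"), "ACME2", "ACME\u200b", 500),
    Asset(placeholder_policy_id("some-other-project"), "FOO", "FOO", 5),
]

if __name__ == "__main__":
    for label, verdict in audit_wallet(WALLET).items():
        print(f"{verdict:<12} {label}")
```

Only the first entry passes; the second has the exact same name and ticker and fails solely on its identifier, which is the whole point of checking the ID rather than the label.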

4. Stealing Private Keys
Another common way to steal cryptocurrencies and tokens from a wallet is to obtain the user's private key. In browser-based and mobile wallets, the keys are stored on the device itself, in most cases encrypted with the user's spending password, which makes extracting them somewhat harder.
For this reason, attackers typically go after the user instead, sending fake messages that claim to come from the wallet's tech support and ask for the seed phrase (the recovery mnemonic from which all of the wallet's private keys are derived), or other messages that appear to come from legitimate sources. No reputable platform, project, wallet, or exchange ever solicits a user's private key or seed phrase, and most will never send an unsolicited message asking for funds or other private information.
Once the seed phrase is given to another person or entity, they can restore the wallet on a different device and steal the user's funds. The phrase is the keys: whoever holds it controls the wallet.
Ways to stay safe
- Never share a seed phrase or private key with anyone.
- Don’t trust and open any attachments from unsolicited, online messages via e-mail, social media, text, etc.
Read more: How to restore your Yoroi Wallet
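To see why a seed phrase must be treated exactly like the private key, it helps to see how little stands between the two. The script below is an added example for this post, not EMURGO or Yoroi code, and uses the published BIP39 test-vector mnemonic (a public test value, never a real wallet). It runs the standard BIP39 seed derivation and the BIP32 master-key step in pure Python with no network access and no device-specific input, which is precisely what an attacker does with a phrase they have talked a user into sharing. Cardano wallets such as Yoroi use the Icarus key-derivation scheme (CIP-3), which feeds the mnemonic's entropy rather than this BIP39 seed into PBKDF2, but the principle is identical: the words alone determine every key.

```python
"""Why a seed phrase is the wallet: the keys are a pure function of the words.

Added example for this post, not EMURGO or Yoroi code. TEST_MNEMONIC is the
published BIP39 test vector, a public value that must never hold funds.
"""
import hashlib
import hmac
import unicodedata


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: 2048 rounds of PBKDF2-HMAC-SHA512 over the NFKD-normalised words,
    salted with 'mnemonic' + optional passphrase, yielding a 64-byte seed.
    No server, no secret and nothing device-specific takes part."""
    words = " ".join(mnemonic.split())          # tolerate stray spaces and newlines
    password = unicodedata.normalize("NFKD", words).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def master_key_from_seed(seed: bytes) -> tuple[bytes, bytes]:
    """BIP32 master node: HMAC-SHA512 keyed with 'Bitcoin seed'. Left half is the
    master private key, right half the chain code from which every child key derives."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


TEST_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                 "abandon abandon abandon abandon abandon about")


def restore_on_another_device(phrase: str, passphrase: str = "") -> str:
    """What an attacker does with a leaked phrase: rebuild the master key on their own machine."""
    priv, _chain_code = master_key_from_seed(mnemonic_to_seed(phrase, passphrase))
    return priv.hex()


if __name__ == "__main__":
    print("seed (passphrase 'TREZOR'):", mnemonic_to_seed(TEST_MNEMONIC, "TREZOR").hex())
    print("seed (no passphrase):      ", mnemonic_to_seed(TEST_MNEMONIC).hex())
    print("master private key:        ", restore_on_another_device(TEST_MNEMONIC, "TREZOR"))
```

The optional BIP39 passphrase (sometimes called the "25th word") is the only extra input, and it only protects a phrase that leaks if the passphrase itself was never written next to it.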
5. Using Fake Discord and Messaging Channels
Fake giveaways, impersonation of influencers and team members, phishing links, etc. are regularly posted in the Discord servers of popular crypto platforms and projects. Discord is a channel where community members come together to chat and discuss topics related to a blockchain product or service.
These spaces are tightly controlled by whoever runs them, so it is easy to manufacture an atmosphere of excitement and opportunity. Verifying who you are talking to is hard, since display names can be changed from server to server and a scammer can adopt the name and avatar of a moderator or project lead. Voice channels are no safer: pre-recorded audio can be played as if it were live, and voice-modification software can make a speaker sound like someone else.
As crypto gains adoption, the number of fake Discord servers, profiles, and other messaging groups created by those intent on stealing user tokens will only grow.
Ways to stay safe
- Create a separate Discord account from your regular one.
- Treat any claim of a free giveaway or promotion with suspicion and verify it through the project's official channels before acting on it.
- Don’t automatically assume any message or link in a chat group is safe or legitimate.
6. Creating Phishing Tools and Links
A group of attackers can mint an NFT whose metadata contains a link designed to draw the recipient's attention. The NFT is then sent for free to many wallet addresses in the hope that some users will click the link.
The link leads to a website advertising a promotion, such as free tokens, another free NFT, or early access to a new DeFi or tokenization platform. Once the user clicks through and signs the transaction the site presents, the attackers can drain all the funds in the wallet.
Ways to stay safe
- Never click on a link embedded in token metadata.
- Review what a transaction actually does (which assets leave your wallet, and to whom) before signing it, rather than trusting the site's description of it.
- Ignore or hide any unwanted tokens that show up in your wallet. In many cases, these are scams or attacks.
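"Review the transaction before signing" means comparing what the transaction does on-chain with what the page claims. The script below is an added example for this post, not EMURGO or Yoroi code. It models a UTXO transaction (the model Cardano uses) with constructed addresses, token identifiers and amounts, and compares two transactions that a "free mint for 2 ADA" page might present: the honest one and the one a drainer builds behind the same button. The review computes the net change for the user's own addresses and warns about any ADA spent beyond the promised price plus fee, and about any token that leaves the wallet.

```python
"""Compare what a transaction does on-chain with what the dApp promised.

Added example for this post, not EMURGO or Yoroi code. Addresses, token IDs
and amounts are constructed; 'lovelace' is the smallest unit of ADA
(1 ADA = 1,000,000 lovelace).
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field


@dataclass
class TxOut:
    address: str
    lovelace: int
    assets: dict[str, int] = field(default_factory=dict)   # token id -> quantity


@dataclass
class Tx:
    inputs: list[TxOut]      # UTXOs being spent, already resolved to address and value
    outputs: list[TxOut]
    fee: int


def wallet_delta(tx: Tx, my_addresses: set[str]) -> Counter:
    """Net change per asset for the signer's own addresses (negative = leaves the wallet)."""
    delta: Counter = Counter()
    for sign, outs in ((-1, tx.inputs), (+1, tx.outputs)):
        for out in outs:
            if out.address in my_addresses:
                delta["lovelace"] += sign * out.lovelace
                for asset, qty in out.assets.items():
                    delta[asset] += sign * qty
    return delta


def review(tx: Tx, my_addresses: set[str], promised_cost: int, promised_assets: set[str]) -> list[str]:
    """Return human-readable warnings; an empty list means the tx matches the promise.

    promised_cost   : lovelace the UI says you pay (the network fee is allowed on top)
    promised_assets : token ids the UI says you receive"""
    warnings: list[str] = []
    delta = wallet_delta(tx, my_addresses)
    spent = -delta.pop("lovelace", 0)
    allowed = promised_cost + tx.fee
    if spent > allowed:
        warnings.append(f"pays {spent:,} lovelace but the UI promised at most {allowed:,} including fee")
    for asset, qty in sorted(delta.items()):
        if qty < 0:
            warnings.append(f"{-qty} x {asset} leaves the wallet; the UI never mentioned it")
        elif asset not in promised_assets:
            warnings.append(f"receives unadvertised token {asset}")
    return warnings


# Constructed scenario: a page offers a "free" NFT mint for 2 ADA plus network fee.
ME = {"addr_user_main"}
MINT_PRICE = 2_000_000
FREE_NFT = "freemint_policy.Promo001"

HONEST_TX = Tx(
    inputs=[TxOut("addr_user_main", 10_000_000)],
    outputs=[TxOut("addr_mint_contract", 2_000_000),
             TxOut("addr_user_main", 7_800_000, {FREE_NFT: 1})],
    fee=200_000,
)

# Same UI, different transaction: the user's whole UTXO, NFTs included, goes to the attacker.
DRAINER_TX = Tx(
    inputs=[TxOut("addr_user_main", 150_000_000, {"rarepolicy.Rare042": 1, "apepolicy.Ape777": 1})],
    outputs=[TxOut("addr_attacker", 148_800_000, {"rarepolicy.Rare042": 1, "apepolicy.Ape777": 1}),
             TxOut("addr_user_main", 1_000_000, {FREE_NFT: 1})],
    fee=200_000,
)

if __name__ == "__main__":
    for name, tx in (("honest", HONEST_TX), ("drainer", DRAINER_TX)):
        print(name, "->", review(tx, ME, MINT_PRICE, {FREE_NFT}) or ["matches the promise"])
```

The same idea applies on account-model chains, where the draining signature is frequently a token approval or a typed-data permit rather than a transfer; there the review must also cover the spending allowance a contract is being granted, not only the outputs.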
7. Offering Fake Technical Upgrades
Software such as crypto wallets needs to be updated regularly like any other tech product. Attackers take advantage of this by sending fake emails or other messages to wallet users announcing an impending update and prompting them to follow a link and perform a "manual upgrade."
The "upgrade" is the attack: once the user follows the link and completes it, the attackers can drain the wallet of all its tokens. Because holdings are visible on-chain and NFTs and DeFi positions carry real value, attackers often target users active in DeFi or NFT communities.
Ways to stay safe
- Never follow unsolicited links to "upgrade" or "update" a wallet. Install updates only through the wallet's official app store or browser extension store listing, or through the wallet's own built-in update mechanism.
- When participating in communities, never use an email tied to your identity. Use an alternative email address not linked to any social media or personal information.
Follow EMURGO on X and LinkedIn
Are you a business, developer, or user wanting to get started with asset tokenization or integrating blockchain? To inquire, reach out to info@emurgo.io.
Follow EMURGO on X and LinkedIn for regular content and updates on blockchain and Web3.
About EMURGO
- Official Homepage: emurgo.io
- X (Global): @EMURGO_io
- YouTube: EMURGO channel
- LinkedIn: @EMURGO_io
Disclaimer
You should not construe any such information or other material as legal, tax, investment, financial, or other advice. Nothing contained herein shall constitute a solicitation, recommendation, endorsement, or offer by EMURGO to invest.